Andrew Tridgell wrote:
> > Alan wrote:
> > Nice idea. IMHO however the fix is to stop people writing applications
> > that use /tmp for everything. /tmp was a great idea once upon a time. Its
> > value nowadays is a bit questionable. Better that daemons use /var/run
> > and applications $HOME/.files
> 
> I generally agree, it's just that I think it's hard to actually change
> all those programs (and programmers) out there that use /tmp.
> 
> I also think that the change does in fact breathe new life into
> /tmp. Are there any /tmp-related security holes that it doesn't fix?
> There probably are some, it's just that I can't think of them right
> now.
> 
> Anyway, I've updated my patch slightly. I changed it so that symlinks
> owned by root are not affected. This is safe and means it breaks fewer
> things.
> 
> With my original patch I found that one thing broke on my mail
> server. I had a link called "tridge" owned by root in /var/spool/mail
> that pointed to /home/tridge/InBox (due to a transition in mailer
> behaviour). I also had /var/spool/mail world writeable with the t bit
> set. My original patch meant I couldn't run programs that referenced
> /var/spool/mail/tridge.
> 
> This is now the active bit of the patch:
> 
>     if (S_ISLNK(inode->i_mode) && (dir->i_mode & S_ISVTX) &&
>         inode->i_uid != 0 &&
>         current->fsuid != inode->i_uid) {
>             iput(dir);
>             iput(inode);
>             *res_inode = NULL;
>             return -EPERM;
>     }

I apologize if my comment is incorrect, but as I understand it, you do the following: if the directory has bit 't' set and the user does not own the file that the symlink points to, your patch does not allow following the symlink.

Suppose that I am a hacker on a system with your patch applied. Suppose my goal is to create a symlink from /tmp/abc to /.rhosts (for example). That is, I would like to